Bug 46595 - SAML failover does not work
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.4
Hardware/OS: Other Linux
Priority/Severity: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2018-03-12 12:47 CET by Erik Damrose
Modified: 2019-03-08 16:46 CET (History)
CC: 3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Description Erik Damrose univentionstaff 2018-03-12 12:47:49 CET
UCS 4.3 master, backup, 2 DC slaves.
Test according to the product tests: log into the UMC of one slave, then power off the DC the SSO login was done against (check the syslog for that information).

Login to the second slave's UMC should work because a valid session is shared via memcached. However, the login fails and the regular UMC login window is shown (no SSO login).

On the DC Backup the syslog shows:
Mar 12 12:38:44 backup96 simplesamlphp[4653]: 5 STAT [c9c79990cf] saml20-idp-SSO https://slave98.ucs.local/univention/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] Backtrace:
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 11 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 10 [builtin] (MemcachePool::get)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:50 (SimpleSAML_Memcache::get)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 8 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:42 (SimpleSAML_Store_Memcache::get)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:325 (SimpleSAML_Session::getSession)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:245 (SimpleSAML_Session::getSessionFromRequest)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:54 (SimpleSAML_Auth_Simple::isAuthenticated)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:264 (SimpleSAML_IdP::isAuthenticated)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:404 (SimpleSAML_IdP::handleAuthenticationRequest)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
But the local memcached on the backup has a valid session:
nc -U /var/run/univention-saml/memcached.socket
stats items
stats cachedump 8 1
ITEM simpleSAMLphp.session.1ede7df8ecb7ad06f61c6e436a4c9c60 [357 b; 1520883452 s]
END
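The backtrace above shows the session lookup aborting on the first unreachable pool member (the powered-off master's socket) even though the backup's local memcached still holds the session. As an added illustration, not code from this bug report, UCS or SimpleSAMLphp, the following Python script implements a memcached "get" over a Unix socket and a pool lookup that records a dead member and moves on to the next one, then exercises it against a constructed in-process fake server plus a stale socket file standing in for the powered-off DC. The socket paths, the fake server and the stored value are assumptions made for the example; only the memcached text protocol and the session key format are taken from the report.

```python
"""Added example: memcached pool lookup that survives one dead member.

Not part of UCS or SimpleSAMLphp. The fake server, socket paths and
stored value are constructed for this demonstration.
"""
import os
import socket
import tempfile
import threading

SESSION_KEY_PREFIX = "simpleSAMLphp.session."


def memcached_get(sock_path, key, timeout=0.5):
    """Fetch one key with the memcached text protocol over a Unix socket.

    Returns the value bytes, None if the key is absent, and raises OSError
    when the server cannot be reached or closes the connection early
    (the failure mode in the bug report).
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(("get %s\r\n" % key).encode())
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = s.recv(4096)
            if not chunk:
                raise OSError("socket was unexpectedly closed")
            buf += chunk
    if buf == b"END\r\n":
        return None
    header, rest = buf.split(b"\r\n", 1)   # "VALUE <key> <flags> <bytes>"
    length = int(header.split()[3])
    return rest[:length]


def pool_get(sock_paths, key):
    """Try each server in order; an unreachable one is skipped, not fatal.

    Returns (value, failures): value is bytes or None, failures is a list of
    (socket_path, error) pairs so the caller can log them without losing
    a session that another pool member still holds.
    """
    failures = []
    for path in sock_paths:
        try:
            value = memcached_get(path, key)
        except OSError as exc:
            failures.append((path, str(exc)))
            continue
        if value is not None:
            return value, failures
    return None, failures


class FakeMemcached(threading.Thread):
    """Minimal constructed server answering 'get' from a fixed dict."""

    def __init__(self, sock_path, items):
        super().__init__(daemon=True)
        self.items = items
        self.stopped = False
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(sock_path)
        self.srv.listen(5)
        self.srv.settimeout(0.1)   # lets the loop notice stop()

    def run(self):
        while not self.stopped:
            try:
                conn, _ = self.srv.accept()
            except socket.timeout:
                continue
            with conn:
                words = conn.recv(4096).decode().split()
                reply = b""
                if len(words) == 2 and words[0] == "get":
                    val = self.items.get(words[1])
                    if val is not None:
                        reply = b"VALUE %s 0 %d\r\n%s\r\n" % (
                            words[1].encode(), len(val), val)
                conn.sendall(reply + b"END\r\n")
        self.srv.close()

    def stop(self):
        self.stopped = True


def demo():
    """Dead master first in the pool, live backup second: session still found."""
    tmp = tempfile.mkdtemp()
    dead = os.path.join(tmp, "master.socket")
    live = os.path.join(tmp, "backup.socket")
    # Bind and close: the socket file stays behind but nobody listens,
    # like the socket of a DC that was powered off.
    stale = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    stale.bind(dead)
    stale.close()
    key = SESSION_KEY_PREFIX + "1ede7df8ecb7ad06f61c6e436a4c9c60"
    server = FakeMemcached(live, {key: b"<serialized session>"})
    server.start()
    try:
        value, failures = pool_get([dead, live], key)
        missing, _ = pool_get([live], SESSION_KEY_PREFIX + "unknown")
    finally:
        server.stop()
    return {"value": value, "failed": [p for p, _ in failures], "missing": missing}


if __name__ == "__main__":
    print(demo())
```

The point of `pool_get` is that a connection error on one member is data for the log, not a reason to abandon the lookup; a real pool client would additionally cache the failure for a short time so every request does not pay the connect timeout against the dead server.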
Comment 1 Erik Damrose univentionstaff 2018-03-12 12:48:20 CET
# ucr get saml/idp/authsource 
univention-ldap
Comment 2 Jürn Brodersen univentionstaff 2018-03-13 20:48:37 CET
In theory "82_saml/19_IdP_on_backup" should test that.
Comment 3 Daniel Tröder univentionstaff 2018-05-08 12:20:51 CEST
This may be a browser DNS resolution timing problem.

I managed to get it working by giving the browser time to contact the second address ucs-sso resolves to (but it didn't always work).

When it had worked, my browser was redirected on logout from the slave to the master, which wasn't available, resulting in an error page. The redirected URL was:

https://<master FQDN>/univention/saml/slo/?SAMLRequest=jZJRb9sgEM...

This may be a separate bug.
Comment 4 Jürn Brodersen univentionstaff 2018-07-31 18:45:50 CEST
(In reply to Jürn Brodersen from comment #2)
> In theory "82_saml/19_IdP_on_backup" should test that.

OK, it seems that test doesn't check the failover, only the load balancing.